Thanks Phil, Suspected as much, I've checked the previous Samba mailing lists but can't see much, I'll give it a go anyway, posted here as it may have been a common issue, or someone may have jumped up and said "highly experimental feature X/ *libwbclient?* fixes that".. Thanks again Andy
Anything inside the EAP tunnel doesn't like you playing with the username though, so we can't do UPN based MSCHAPv2 lookup - UPN format doesn't work, as far as I can tell, with the ntlm_auth program and I can't update the username. I can force the mschap auth process to use an alternative user name, but the hash then doesn't work, and I can't work out how to update the mschap:user-name. All this is
Altering the in-packet username or the username on the ntlm_auth command line is futile; as you've indicated, the client does the crypto on the basis of the UPN, and that's what you need to pass to ntlm_auth so that it can be in turn passed to the DC and mixed into the chal/resp verification/calculation correctly. I was under the impression that ntlm_auth should work with a UPN where LHS != samaccountname, but it's really a Samba question - I'd suggest asking on the Samba list. I don't have any easy way to test locally I'm afraid. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html